Reversing


Recently I did some research in order to extract certain information from Blackberry application files. I found useful information on Dr. {B0lsen}'s blog (headers, section layout; really great work). I investigated the resources layout: it contains fields like the application name, description, icon file, etc. During my research I was able to clarify some aspects of Dr. {B0lsen}'s description (I still appreciate your work), and this paper is the result.

Using the IDA Pro disassembler.

After installing the Blackberry OS software on your PC, you can find the firmware sfi file extracted to a folder like C:\Program Files\Common Files\Research In Motion\Shared\Loader Files\<software version>\GPRS\. There is a single sfi file, named like rim8800g.sfi or rim0x84001503.sfi. It contains the OS and DSPOS firmware. The OS firmware contains the system kernel and the Java machine. DSPOS is probably a system partition image. I'll explain how to disassemble the OS firmware.

First you have to gather some information about the sfi file. RIM released a tool named Command-Line Programmer (cfp) which allows you to load software onto your device. It can also be used to reveal a range of useful information about the sfi file. Run cfp fileinfo file.sfi and you will see the address space the OS will be loaded into (OS Address) and so on. Save this output to a file; it helps us set the proper disassembler options.

Now open the sfi with a hex editor (e.g. WinHex). The first 8 bytes are the file header; you can skip them. The next 4 bytes are the section id. If it is 0x02 (little-endian byte order), that is what we are looking for: id 0x02 corresponds to the OS firmware section, and I suppose it is always the first section. Write down the next four bytes and subtract 0x10 (16 decimal); the result is the section size. E.g. the data BC0B6900 corresponds to a size of 0x690BAC (BC0B6900 read as little endian is 0x00690BBC, and minus 0x10 gives 0x690BAC). Skip the next four bytes and you are where the section data begins (the first section always starts at offset 0x14). In WinHex you can mark the beginning of a block with Alt + 1. Next go to the section end: move 0x690BAC bytes forward (in WinHex Alt + G, then select "relative to: current position" and type the offset, then go back 1 byte). Copy the whole section data into a new bin file (WinHex: mark the block end with Alt + 2 and copy the block into a new file with Ctrl + Shift + N). Now you have the OS firmware extracted.

To disassemble it, run IDA, open your bin file, change the processor type to XScaleL and click OK. The ROM and RAM section addresses can be found in the cfp log (named OS Address and RAM usage). Set the input file loading address to the ROM start address and click OK. Now go to the App Start address and press C; this starts the disassembly from there. You can also use the interrupt vectors (the first 32 bytes) to find some code entry points.
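The extraction step above, as an added Python example (not the author's code): it parses the section header exactly as described (8-byte file header, little-endian id 0x02, size field minus 0x10, data at offset 0x14), refuses a truncated file, and decodes the 32-byte interrupt vector table into entry-point addresses for plain branch instructions. The sample sfi blob and the ROM base 0x10000000 are constructed placeholders; the real values come from your firmware and the cfp OS Address.

```python
import struct

FILE_HEADER_LEN = 8       # first 8 bytes of the .sfi are a file header we skip
OS_SECTION_ID = 0x02      # section id of the OS firmware section
SIZE_ADJUST = 0x10        # size field = data length + 0x10
FIRST_DATA_OFFSET = 0x14  # 8 header + 4 id + 4 size + 4 skipped bytes

def section_size(size_field: bytes) -> int:
    """Decode the little-endian size field and subtract 0x10 (BC0B6900 -> 0x690BAC)."""
    return struct.unpack("<I", size_field)[0] - SIZE_ADJUST

def extract_os_section(sfi: bytes) -> bytes:
    """Return the OS firmware carried in the first section; reject a wrong id or a truncated file."""
    if len(sfi) < FIRST_DATA_OFFSET:
        raise ValueError("file shorter than one section header")
    sec_id = struct.unpack_from("<I", sfi, FILE_HEADER_LEN)[0]
    if sec_id != OS_SECTION_ID:
        raise ValueError(f"first section id is {sec_id:#x}, expected 0x02")
    size = section_size(sfi[FILE_HEADER_LEN + 4:FILE_HEADER_LEN + 8])
    end = FIRST_DATA_OFFSET + size
    if end > len(sfi):
        raise ValueError(f"section claims {size:#x} data bytes but file is only {len(sfi):#x}")
    return sfi[FIRST_DATA_OFFSET:end]

def vector_targets(os_image: bytes, rom_base: int) -> list:
    """Decode the 8 ARM exception vectors (first 32 bytes). A plain B gives an absolute
    entry point; other encodings (e.g. LDR PC,[PC,#off]) are returned as None."""
    targets = []
    for i in range(8):
        insn = struct.unpack_from("<I", os_image, i * 4)[0]
        if insn >> 24 == 0xEA:            # cond=AL, branch without link
            off = insn & 0x00FFFFFF
            if off & 0x00800000:          # 24-bit signed word offset
                off -= 0x01000000
            targets.append(rom_base + i * 4 + 8 + (off << 2))  # PC reads as insn addr + 8
        else:
            targets.append(None)
    return targets

def sample_os_image() -> bytes:
    """Constructed 64-byte stand-in for a firmware image: vectors 0/1 branch to
    offsets 0x40/0x44, vector 2 is an LDR PC, vectors 3-7 branch to themselves."""
    vectors = [0xEA00000E, 0xEA00000E, 0xE59FF018] + [0xEAFFFFFE] * 5
    return struct.pack("<8I", *vectors) + b"\x00" * 32

def build_sample_sfi(os_image: bytes) -> bytes:
    """Constructed .sfi blob: zero file header, id 0x02, size field, 4 skipped bytes, data."""
    return (b"\x00" * FILE_HEADER_LEN + struct.pack("<II", OS_SECTION_ID, len(os_image) + SIZE_ADJUST)
            + b"\x00" * 4 + os_image)
```

On a real file, `extract_os_section(open("rim8800g.sfi", "rb").read())` gives the bytes to write to the bin file, and `vector_targets(image, os_address)` gives addresses to visit in IDA.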

At this point everything looks great. But there is one problem: Google can't find any papers about the Blackberry CPU. I don't know how the I/O ports are mapped (on ARM they are mapped into some memory region; there are no special instructions like in and out). So any information will be welcome.

About a year ago I got my first Blackberry device. Of course I did some research into what we can do with it; I mean, of course, more than RIM allows us to do.

First I got my phone debranded. That involves uploading a branding file to the device. When I did that, I started to wonder if I could edit or create my own branding file with my own splash-screen image or other data changed. I found a VSM file format description (but an incomplete one). I did my own research (including software disassembly) and finally created VSMTools. It's an easy-to-use set of command line tools which allow you to extract, edit or create your own VSM file.

VSMTools v0.6 is my tool to extract, edit and create branding VSM files. I've also documented the VSM file structure. I got it all except the sign section. VSM files are digitally signed and, as far as I know, it is done with RSA-SHA1 using a private key and the public key (which I covered in this document). It is used to check the file integrity. I can't tell any more about the signing mechanism; if you have any information about it, please contact me. The sign section may be absent from a VSM. The Blackberry 8800 accepts unsigned files, but maybe some newer devices don't.

The Siemens SL45i (or SL45, SL42; it's the same phone) is, in my opinion, the best cellphone of its time. I spent a lot of time reversing its software and trying to make it better by developing patches. The scene of patching this phone was very busy; hundreds of patches were developed. At some point RizaPN, the most recognizable patchmaker, created "Binary File Access", a patch that allows us to load and run executable files from the memory card. I developed some of those files, and even wrote a simple game. I collected all the patches which I still have. Some of them are missing, so it is not a complete pack, but the most important ones are present. If you have any of my missing patches, please contact me.

Some of the most productive patchmakers whom I'd like to recall are: RizaPN, lalo.lerry, mamaich, Chaos, DeadManS, rc-flitzer, ValeraVi, vBart and many others. Thank you guys.

Siemens SX1: I developed several flash patches between March and December of 2007. These patches are in sxpr format, which is the APatcher format. Just to view the files you can use Microsoft Word, WordPad or OpenOffice Writer. These files contain some WordPad formatting, so it is not convenient to open them in Notepad.